Cannot ping or access remote network

sinmok15 · Feb 23, 2018, 9:48 AM

Hi all,

We're having trouble accessing remote machines over PfSense. We have the OpenVPN tunnel established without problem, but our office network cannot ping the local machines on the remote side. Both sides are running Pfsense.

Our setup is fairly simple:

Datacenter network - Running Pfsense (Open VPN server). Has a NIC mounted to the 10.10.0.0/24 network. Can only ping IPs on the 10.10.0.0 network

Office network - Running Pfsense (Open VPN client). Regular office networking running on 192.168.1.0/24 network. Can only ping IPs on the 192.168.1.0 network

The issue we're having is that our office network is not able to ping or communicate any remote machines running on the 10.10.0.0 network.

I've checked the routes on both local and remote sides and it looks correct.

See:

Office network routes https://i.imgur.com/1BhI01U.png
Office network cfg https://i.imgur.com/H9LVi57.png

Remote network routes https://i.imgur.com/5SRE0P0.png
Remote network cfg https://i.imgur.com/p0lwJeV.png

OpenVPN firewall settings office networkhttps://i.imgur.com/sMt0z8D.png
Open VPN firewall setting remote network https://i.imgur.com/8qLP3hX.png

Some other useful info:

The remote network IPs are statically set. There are no default gateways or DHCP involved for the internal private network (10.10.0.0)
I have tried turning off the firewall complete on a remote machine with no luck
The remote network is technically a virtual network, but there is no VLAN id

Any help would be greatly appreciated.

Thanks

viragomann · Feb 23, 2018, 11:10 AM

In the datacenter OpenVPN config you have to set office network (192.168.1.0/24) in the "Remote networks" field.
The local datacenter network makes no sense here.

sinmok15 · Feb 23, 2018, 5:46 PM

@viragomann:

In the datacenter OpenVPN config you have to set office network (192.168.1.0/24) in the "Remote networks" field.
The local datacenter network makes no sense here.

I've made the update and can now ping the internal IP of the data centre pfsense machine(10.10.0.4) from my workstation(192.168.1.144) but i still cannot ping outside of that machine (10.10.0.5, 10.10.0.6) etc

If it helps, I'm using the Peer to peer (shared key) method?

Thanks

moikerz · Feb 23, 2018, 6:00 PM

That is probably because most software firewalls only respond to devices on the same network (ie, your 10.10.0.0 network will only respond to pings from 10.10.0.0). So your pings from 192.168.1.0 are being blocked. Update each remote network firewall rules appropriately.

sinmok15 · Feb 23, 2018, 6:47 PM

Definitely not the firewall. ICMP packets are set to allow from everywhere in windows firewall.

moikerz · Feb 23, 2018, 6:57 PM

The pfSense firewalls look ok, albeit a little redundant (like the remote end is allowing IPv4-* and IPv4-TCP and IPv4-TCP/UDP, when just IPv4-* is sufficient). But I'm wondering why the rules all show "0/0B" for their states - those rules have not received any data whatsoever.

viragomann · Feb 24, 2018, 10:49 AM

The pfSense boxes have to be the default upstream gateway on both sites.
If that is not given you need either a static route for the remote network on each device which should communicate with it or youmust nat the packets on pfSense.

sinmok15 · Feb 26, 2018, 10:16 AM

@viragomann:

The pfSense boxes have to be the default upstream gateway on both sites.
If that is not given you need either a static route for the remote network on each device which should communicate with it or youmust nat the packets on pfSense.

The remote boxes have a default upstream gateway already to a WAN address. I was under the impression that having two default gateways on a box was a really bad idea.

How do I go about setting up NAT? I'm not sure which values i need to set on both sides

viragomann · Feb 26, 2018, 11:35 AM

So the pfSense local network address 10.10.0.4 is not set as default gateway on the remote machines?
You have garbled the vtnet0 address, so I assume it will be a public one, isn't it?